ARCHITECTURE FOR ENCRYPTED APPLICATION INSTALLATION

Technical Field of the Invention 

The present invention relates to methods for providing, and systems arranged to provide, an application to be executed on a device, the device being arranged with a secure environment to which access is strictly controlled by a device processor.

Background Art 

Various electronic devices, such as mobile telecommunication terminals, portable computers and PDAs, require access to security related components such as application programs, cryptographic keys, cryptographic key data material, intermediate cryptographic calculation results, passwords, authentication of externally downloaded data etc. It is often necessary that these components, and the processing of them, are kept secret within the electronic device. Ideally, they shall be known by as few people as possible, since a device, for example a mobile terminal, could possibly be tampered with if these components are known. Access to these types of components might aid an attacker with the malicious intent to manipulate a terminal.

Therefore, a secure execution environment is introduced, in which environment a processor within the electronic device is able to access the security related components. Access to the secure execution environment, processing in it and exit from it should be carefully controlled. Prior art hardware comprising this secure environment is often enclosed within a tamper resistant packaging. It should not be possible to probe or perform measurements and tests on this type of hardware which could result in the revealing of security related components and the processing of them.

Providers of application programs encrypt the programs so as to create tamper resistant software. Only when the application program code is executed in a secure environment is the code decrypted and managed as plain text.

David Lie et al., "Architectural Support for Copy and Tamper Resistant Software", published in Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-IX), November 2000, pp. 169-177, discloses a system called XOM, eXecute Only Memory. Every XOM processor has a public/private key pair, and the private key is kept in hardware and known only to the processor, not to the owner of the processor or anyone else. When XOM software is purchased, the software is encrypted for the target processor by means of this public/private key pair. The executable code is decrypted by the processor just before execution and the plaintext code never leaves the processor chip. A problem with this type of architecture is that the application providers have very limited possibilities to define the way the application is handled during application installation.

Summary of the Invention 

It is an object of the present invention to mitigate the above stated problem, as well as to provide a system which facilitates modifications in key management and encryption systems.

This object is achieved by methods for providing an application to be executed on a device, the device being arranged with a secure environment to which access is strictly controlled by a device processor, according to claim 1 and claim 2, and by systems arranged to provide an application to be executed on a device, the device being arranged with a secure environment to which access is strictly controlled by a device processor, according to claim 8 and claim 9.
According to a first aspect of the invention, a method is provided in which the device is provided with an encrypted application and, via a secure channel into the secure environment, a first key for decrypting the encrypted application. The encrypted application is decrypted in the secure environment by means of the first key. Further, the application is re-encrypted in the secure environment by means of a second key and the re-encrypted application is then stored outside the secure environment.

According to a second aspect of the invention, a method is provided in which the device is provided with an encrypted application and, via a secure channel into the secure environment, a first key for decrypting the encrypted application. Further, the first key is encrypted in the secure environment by means of a second key and the encrypted key is then stored outside the secure environment.

According to a third aspect of the invention, a system is provided, wherein means is arranged to provide the device with an encrypted application and, via a secure channel into the secure environment, a first key for decrypting the encrypted application. Means is arranged to decrypt the encrypted application in the secure environment using the first key. Further, means is arranged to re-encrypt the application in the secure environment using a second key, and the re-encrypted application is then stored outside the secure environment.

According to a fourth aspect of the invention, a system is provided, wherein means is arranged to provide the device with an encrypted application and, via a secure channel into the secure environment, a first key for decrypting the encrypted application. Further, the means is arranged to encrypt the first key in the secure environment using a second key, and the encrypted key is then stored outside the secure environment.

The invention is based on the idea that an application is downloaded to a device which is arranged to execute the application. The application is divided into an installation part that establishes proper set up of the application and a protected part which is to be executed in the secure environment. The installation part produces the encrypted application, i.e. the protected part, and the keys for decrypting it. The installation part might be encrypted using some arrangement known in the prior art. In this phase of the application installation, the downloaded data is held in a part of the device having milder security requirements than the secure environment. This part is hereinafter referred to as the unsecure environment. When the application is downloaded into the device, the installation part establishes a secure channel with a server that, on the secure channel, provides a first key into the secure environment of the device, with which first key it is possible to decrypt the encrypted application. It might be necessary for the device to authenticate itself in order to receive the first key. When the encrypted application is to be executed, it is loaded into the secure environment and decrypted by the first key. The application is now in plain text and can be executed. When there is no desire to execute the application, it is re-encrypted by means of a second key and stored outside the secure environment, i.e. in the unsecure environment. An advantage with this inventive idea is that the application provider has the freedom to control the decryption of the application software. Since it is performed in the secure environment, the owner of the device, the device being e.g. a mobile phone, is unable to access the application and thereby copy, read or manipulate it. Moreover, the application provider handles the installation of the encrypted application and the key for decrypting the application, and is thus given the possibility to handle the encryption/decryption schemes and the key management.

The only part that has to stay fixed is the loading part of the application, i.e. the part of the application which loads data into the secure environment and handles the decryption of the encrypted application. A further advantage is that the application can be re-encrypted in the secure environment by a second key and stored outside the secure environment. When the application is not executed, it is not stored in the secure environment. Secure environment memory is relatively expensive compared to memory located in the unsecure environment. As soon as the application is to be executed again, the re-encrypted application is loaded into the secure environment and decrypted by means of the second key.

According to an embodiment of the invention, the first key is encrypted in the secure environment by means of the second key. The encrypted first key is then stored outside the secure environment. This embodiment has the advantage that the first key can be used in future downloads of applications. All that has to be done is to encrypt the first key in the secure environment with the second key and store the encrypted first key outside the secure environment. The first key can then be used to decrypt a downloaded encrypted application in the secure environment. This is done by loading the encrypted first key into the secure environment and decrypting it with the second key. This means that the installation step, including setting up a secure channel, of the first key need not be employed. This is particularly useful in production and/or in the development phase, wherein a large number of applications might be downloaded to the device in a rather short time.

According to another embodiment of the present invention, the second key is symmetric and derived from the application in such a way that the second key is comprised in the application itself and extracted when the application is loaded into the secure environment and decrypted by the first key. This has the advantage that the application provider is given the freedom to decide which key is to be used in the encryption/decryption relating to the second key. The second key management can then be controlled by the application provider. The fact that the second key is symmetric implies that the encryption/decryption using the second key will be less computationally demanding than if it had been asymmetric.

According to yet another embodiment of the present invention, the second key is symmetric and derived from the application using an application seed. By using an application seed in the form of, for example, an application serial number, it is possible to create the second key. The serial number is encrypted by means of an appropriate algorithm in the secure environment using a device generated static key, and this operation creates the symmetric second key. This embodiment has the advantage that the second key need not be distributed, but can be generated rather easily in the secure environment.

Further features of, and advantages with, the present invention will become apparent when studying the appended claims and the following description. Those skilled in the art realize that different features of the present invention can be combined to create embodiments other than those described in the following. Many different alterations, modifications and combinations will become apparent to those skilled in the art. The described embodiments are therefore not intended to limit the scope of the invention, as defined by the appended claims.

Brief Description of the Drawings

The present invention will be described in greater detail with reference to the following drawings, wherein:

Fig. 1 shows a block scheme of a device architecture for providing data security in which device the present invention advantageously can be applied;

PCT/IB03/00343

Fig. 2 shows a block scheme of how the encrypted application is loaded into the secure environment and decrypted into plain text, i.e. into executable form, according to an embodiment of the invention; and

Fig. 3 shows how the symmetric second key is derived from the application according to an embodiment of the invention.

Description of Preferred Embodiments of the Invention

A device architecture for providing data security is shown in Fig. 1. Such a system is further disclosed in the Applicant's international patent application PCT/IB02/03216, which application is incorporated herein by reference. The device is implemented in the form of an ASIC (Application Specific Integrated Circuit) 101. The processing part of the architecture contains a CPU 103 and a digital signal processor (DSP) 102.

The secure environment 104 comprises a ROM 105 from which the ASIC 101 is booted. This ROM 105 contains boot application software and an operating system. Certain application programs residing in the secure environment 104 have precedence over other application programs. In a mobile telecommunication terminal, in which the ASIC 101 can be arranged, boot software should exist which includes the main functionality of the terminal. It is not possible to boot the terminal to normal operating mode without this software. This has the advantage that by controlling this boot software, it is also possible to control the initial activation of each terminal.

The secure environment 104 also comprises RAM 106 for storage of data and applications. The RAM 106 preferably stores so called protected applications, which are smaller size applications for performing security critical operations inside the secure environment 104. Normally, the way to employ protected applications is to let "normal" applications request services from a certain protected application. New protected applications can be downloaded into the secure environment 104 at any time, which would not be the case if they resided in ROM. Secure environment 104 software controls the download and execution of protected applications. Only signed protected applications are allowed to run. The protected applications can access any resources in the secure environment 104 and they can also communicate with normal applications for the provision of security services.

In the secure environment 104, a fuse memory 107 is comprised containing a unique random number that is generated and programmed into the ASIC 101 during manufacturing. This random number is used as the identity of a specific ASIC 101 and is further employed to derive keys for cryptographic operations. The architecture further comprises a standard bridge circuit 109 for limitation of data visibility on the bus 108. The architecture should be enclosed within a tamper resistant packaging. It should not be possible to probe or perform measurements and tests on this type of hardware which could result in the revealing of security related components and the processing of them. The DSP 102 has access to other peripherals 110 such as a direct memory access (DMA) unit, RAMs, flash memories and additional processors, which can be provided outside the ASIC 101.

By providing the above described architecture, in which the CPU 103 is operable in two different modes, one secure operating mode and one unsecure operating mode, the CPU 103 of the device 101 can be enabled to execute non-verified software downloaded into the device 101. This is due to the fact that only verified software has access to the secure environment 104. This allows testing, debugging and servicing of the mobile telecommunication terminal and its software without risking that a third party is given access to information which makes it possible to manipulate the security related components of the device 101 so as to affect the security functions when in the secure environment 104.

In the secure mode, the processor 103 has access to security related data located within the secure environment 104. The security data include cryptographic keys and algorithms, software for booting the circuitry, secret data such as random numbers used as cryptographic key material, application programs etc. The device 101 can advantageously be used in mobile telecommunication terminals, but also in other electronic devices such as computers, PDAs or other devices with need for data protection. The access to these security data and the processing of them need to be restricted, since an intruder with access to security data could manipulate the terminal. When testing and/or debugging the terminal, access to security information is not allowed. For this reason, the processor 103 is placed in the unsecure operating mode, in which mode it is no longer given access to the protected data within the secure environment 104.

Fig. 2 shows a block scheme of how the encrypted application is loaded into the secure environment and decrypted into plain text, i.e. into executable form. First, an application 202 is loaded 211 into a device 201 which is arranged to execute the application 202. The application 202 is divided into an installation part 203 that establishes proper set up of the application 202 and a protected part 204 which is to be executed in the secure environment 205. The installation part 203 produces the encrypted application, i.e. the protected part 204, and the keys for decrypting it. The installation part 203 is not encrypted. At this stage of the installation, the application 202 is held in the unsecure environment 206. When the application 202 is loaded into the device 201, the installation part 203 establishes a secure channel 207 with a server 208 that, on the secure channel 207, provides a first key into the secure environment 205 of the device 201, with which first key it is possible to decrypt the encrypted application 204. The secure channel 207 can be created in a number of different ways. It is, for example, possible to encrypt the first key at the server 208 by using the public key of the device 201. It is decrypted with the private key of the device 201 in the secure environment 205. Thus, a secure channel is provided. It is also possible to use the SSL protocol to transfer the first key into the secure environment 205. The key issue is that the first key is encrypted in such a way that a third party is unable to eavesdrop on the channel 207 and catch a plain text version of the first key. When the encrypted application 204 is to be executed, it is loaded into the secure environment 205 and decrypted by the first key. The protected application is now in plain text 209 and can be executed. When there is no desire to execute the plain text application 209 in the secure environment 205, it is re-encrypted by means of a second key and stored in the unsecure environment 206.

The second key is symmetric and can be derived from the application in different ways. Fig. 3 shows the application 301 that is downloaded to the device 305, including the installation part 302 and the protected application part (also referred to herein as the encrypted application) 303. The second key is denoted by 304 and is attached to the application code itself. Note that the second key forms part of the protected application 303 and is consequently also encrypted by means of the first key. The second key is extracted when the protected application 303 is loaded into the secure environment 306 and decrypted by the first key. The application 307 as well as the second key 308 are then in plain text. The second key can also be derived from the application using an application seed. By using an application seed in the form of, for example, an application serial number, it is possible to create the second key. The serial number is encrypted by means of an appropriate algorithm in the secure environment using a device generated static key, and this operation creates the symmetric second key. This operation is called diversification.
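The diversification step described above, as an added worked example in Go; this is not code from the patent or from the Applicant, and it fixes what the patent leaves open: the device generated static key is assumed to be derived with SHA-256 from the fuse-memory random number 107 of Fig. 1, and the serial number is encrypted with a single AES block operation under that key, the block output being the symmetric second key. The serial number is length-prefixed before zero-padding so that two different serial numbers can never produce the same block input. DeviceStaticKey and DiversifiedSecondKey are names chosen here; the fuse values and serial numbers are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"fmt"
)

// DeviceStaticKey derives the device generated static key from the fuse-memory
// random number 107 that identifies the ASIC. The label and SHA-256 are assumptions;
// the patent only requires the key to be device generated and never distributed.
func DeviceStaticKey(fuseID []byte) []byte {
	h := sha256.Sum256(append([]byte("diversification-static-key/"), fuseID...))
	return h[:16] // AES-128 key
}

// DiversifiedSecondKey encrypts the application serial number under the static key;
// the 16-byte block output is the symmetric second key. The serial is length-prefixed
// and zero-padded into one block, so serials of different length or content never map
// to the same block input; a serial that does not fit the block is rejected rather
// than truncated, since truncation could make two applications share a key.
func DiversifiedSecondKey(staticKey, serial []byte) ([]byte, error) {
	if len(serial) == 0 || len(serial) > aes.BlockSize-1 {
		return nil, fmt.Errorf("serial number must be 1..%d bytes, got %d", aes.BlockSize-1, len(serial))
	}
	block, err := aes.NewCipher(staticKey)
	if err != nil {
		return nil, err
	}
	in := make([]byte, aes.BlockSize)
	in[0] = byte(len(serial))
	copy(in[1:], serial)
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, in)
	return out, nil
}

func main() {
	deviceA := DeviceStaticKey([]byte("fuse-id-A")) // constructed fuse values
	deviceB := DeviceStaticKey([]byte("fuse-id-B"))
	k1, _ := DiversifiedSecondKey(deviceA, []byte("APP-0001"))
	k2, _ := DiversifiedSecondKey(deviceA, []byte("APP-0001"))
	k3, _ := DiversifiedSecondKey(deviceA, []byte("APP-0002"))
	k4, _ := DiversifiedSecondKey(deviceB, []byte("APP-0001"))
	fmt.Println("same device, same serial, same key:", bytes.Equal(k1, k2))
	fmt.Println("same device, other serial, same key:", bytes.Equal(k1, k3))
	fmt.Println("other device, same serial, same key:", bytes.Equal(k1, k4))
}
```

The static key never leaves the secure environment and the serial number is not secret, so the second key is reproducible on this device only: the same protected application installed on another ASIC is re-encrypted under a different key, and nothing key-related has to travel over the secure channel.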

Referring again to Fig. 2, according to an embodiment of the invention, the first key is encrypted in the secure environment 205 by means of the second key. The encrypted first key is then stored in the unsecure environment 206. This embodiment has the advantage that the first key can be used in future downloads of applications 202. All that has to be done is to encrypt the first key in the secure environment 205 with the second key and store the encrypted first key in the unsecure environment 206. The first key can then be used to decrypt a downloaded encrypted application 204 in the secure environment 205. This is done by loading the encrypted first key into the secure environment 205 and decrypting it with the second key. The protected application 204 is then decrypted with the first key. This means that the installation step, including setting up a secure channel 207, of the first key need not be employed. This is particularly useful in production and/or in the development phase, wherein a large number of applications 202 might be downloaded to the device 201 in a rather short time. In production and/or in the development phase, it is also advantageous to transfer multiple keys successively on the secure channel into the secure environment, since each key can later be used in the secure environment to decrypt the encrypted application that corresponds to that key.
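The installation flow of Fig. 2 (and of the summary above), together with the embodiment just described in which the first key is wrapped under the second key for later reuse, as an added worked example in Go. This is not code from the patent or from the Applicant, and it fixes choices the patent leaves open: the secure channel 207 is realised as RSA-OAEP to the device public key, both keys are AES-256 keys, the protected part is sealed with AES-GCM so that a blob that was altered in the unsecure environment 206 fails to decrypt instead of being executed, and the second key is carried as the last 32 bytes of the protected part, as in Fig. 3. The names Package, SecureEnv, Store, NewDevice, Install, Load and UnwrapFirstKey, and the sample code bytes, are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const keyLen = 32 // both keys are AES-256 keys here; the patent fixes no algorithm
// gcmFor returns AES-GCM for a keyLen-byte key; the tag is what rejects a blob altered outside.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES, whose block size is 128 bits
	return gcm
}

// seal encrypts plaintext under key and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand does not return an error on a working system
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; any modification of blob makes it fail.
func open(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Package is what the installation part 203 receives: the protected part 204 sealed under
// the first key, and the first key encrypted to the device public key (the channel 207).
type Package struct{ EncryptedApp, EncFirstKey []byte }

// BuildPackage runs at the provider's server 208; the second key is appended to the code
// so that it is encrypted together with the code, as in Fig. 3.
func BuildPackage(devPub *rsa.PublicKey, code, secondKey []byte) (Package, error) {
	firstKey := make([]byte, keyLen)
	rand.Read(firstKey)
	encApp := seal(firstKey, append(append([]byte{}, code...), secondKey...))
	encK1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, firstKey, nil)
	return Package{encApp, encK1}, err
}

// SecureEnv models the secure environment 205 (device private key and second key never
// leave it); Store models what is kept in the unsecure environment 206.
type SecureEnv struct {
	devPriv   *rsa.PrivateKey
	secondKey []byte
}
type Store struct{ ReEncryptedApp, WrappedFirstKey []byte }

// NewDevice provisions the device key pair (on the ASIC it would derive from the fuse secret).
func NewDevice() (*SecureEnv, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &SecureEnv{devPriv: priv}, err
}

// Install decrypts the first key and the protected part inside the secure environment, splits
// off the second key, then re-encrypts the code and wraps the first key under the second key.
func (s *SecureEnv) Install(pkg Package) (Store, error) {
	firstKey, err := rsa.DecryptOAEP(sha256.New(), nil, s.devPriv, pkg.EncFirstKey, nil)
	if err != nil {
		return Store{}, err
	}
	plain, err := open(firstKey, pkg.EncryptedApp)
	if err != nil {
		return Store{}, err
	}
	if len(plain) < keyLen {
		return Store{}, fmt.Errorf("protected part carries no second key")
	}
	code, second := plain[:len(plain)-keyLen], plain[len(plain)-keyLen:]
	s.secondKey = second
	return Store{seal(second, code), seal(second, firstKey)}, nil
}

// Load brings the re-encrypted application back in; the result is what would execute.
func (s *SecureEnv) Load(st Store) ([]byte, error) { return open(s.secondKey, st.ReEncryptedApp) }
// UnwrapFirstKey recovers the first key for a further installation without a new channel.
func (s *SecureEnv) UnwrapFirstKey(st Store) ([]byte, error) { return open(s.secondKey, st.WrappedFirstKey) }

func main() {
	env, _ := NewDevice()
	code := []byte("constructed placeholder for the protected part's code")
	pkg, _ := BuildPackage(&env.devPriv.PublicKey, code, []byte("0123456789abcdef0123456789abcdef"))
	st, _ := env.Install(pkg)
	got, err := env.Load(st)
	fmt.Println("round trip ok:", string(got) == string(code), err)
}
```

Install is the only place where the first key and the plain text application exist, and it runs inside SecureEnv; what leaves it is Store, whose two blobs are useless without the second key. UnwrapFirstKey is what the production and development use case relies on: a further package sealed under the same first key can be opened without a new exchange on channel 207, and, because the re-encrypted application and the wrapped key are authenticated, a modification made in the unsecure environment is detected on Load rather than executed.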

It should be noted that the above mentioned embodiments exemplify the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. In the device claims enumerating several means, several of these means can be embodied by one and the same item of hardware.
CLAIMS

1. A method for providing an application to be executed on a device, the device being arranged with a secure environment to which access is strictly controlled by a device processor, the method comprising:

providing the device (201) with an encrypted application (204);

providing, via a secure channel (207) into the secure environment (205), the device (201) with a first key for decrypting said encrypted application (204);

decrypting, in the secure environment (205), said encrypted application (204) by means of said first key;

re-encrypting, in said secure environment, the application (209) by means of a second key; and

storing, outside said secure environment, the re-encrypted application.

2. A method for providing an application to be executed on a device, the device being arranged with a secure environment to which access is strictly controlled by a device processor, the method comprising:

providing the device (201) with an encrypted application (204);

providing, via a secure channel (207) into the secure environment (205), the device (201) with a first key for decrypting said encrypted application (204);

encrypting, in said secure environment (205), said first key by means of a second key; and

storing, outside said secure environment (205), the encrypted first key.



3. The method according to claim 1, the method comprising:

encrypting, in said secure environment (205), said first key by means of the second key; and

storing, outside said secure environment (205), the encrypted first key.

4. The method according to claim 1 or 2, wherein said second key is symmetric and can be derived from the application (202).

5. The method according to claim 4, wherein said second key is comprised in the application (202) itself.

6. The method according to claim 4, wherein said second key is generated in the secure environment (205) using an application seed.

7. The method according to any of the previous claims, wherein multiple keys can be transferred successively on the secure channel into the secure environment, each key being used to decrypt a corresponding encrypted application in the secure environment.

8. A system arranged to provide an application to be executed on a device, the device being arranged with a secure environment to which access is controlled by a device processor, the system comprising:

means for providing the device (201) with an encrypted application (204);

means for providing, via a secure channel (207) into the secure environment (205), the device (201) with a first key for decrypting said encrypted application (204);

means for decrypting, in the secure environment (205), said encrypted application (204) by means of said first key;

means for re-encrypting, in said secure environment, the application (209) by means of a second key; and

means for storing, outside said secure environment, the re-encrypted application.

9. A system arranged to provide an application to be executed on a device, the device being arranged with a secure environment to which access is controlled by a device processor, the system comprising:

means for providing the device (201) with an encrypted application (204);

means for providing, via a secure channel (207) into the secure environment (205), the device (201) with a first key for decrypting said encrypted application (204);

means for encrypting, in said secure environment (205), said first key by means of a second key; and

means for storing, outside said secure environment (205), the encrypted first key.

10. The system according to claim 8, the system comprising:

means for encrypting, in said secure environment (205), said first key by means of the second key; and

means for storing, outside said secure environment (205), the encrypted first key.

11. The system according to claim 8 or 9, wherein said second key is symmetric and can be derived from the application (202).

12. The system according to claim 11, wherein said second key is comprised in the application (202) itself.

13. The system according to claim 11, wherein said second key is generated in the secure environment (205) using an application seed.

14. The system according to any of the claims 8-13, wherein the system is arranged such that multiple keys can be transferred successively on the secure channel into the secure environment, each key being used to decrypt a corresponding encrypted application in the secure environment.
ABSTRACT

The present invention relates to methods to control, and systems arranged to control, the decryption of a provided encrypted application in a device executing the application, the device being arranged with a secure environment to which access is strictly controlled by a device processor. The invention is based on the idea that the application is divided into an installation part that establishes proper set up of the application and a protected part which is to be executed in the secure environment. An advantage with the invention is that the application provider has the freedom to control the decryption of the application software. Since it is performed in the secure environment, the owner of the device is unable to access the application and thereby copy, read or manipulate it. Moreover, the application provider handles the installation of the encrypted application and the key for decrypting the application, and is thus given the possibility to handle the encryption/decryption schemes and the key management.